Require authentication before making API calls

Otherwise anything might access the bus.

Note: This will not work if the user moves to another html page.  They
will not have a port/key passed in the query string of the URL, so
they won't be able to connect.
This commit is contained in:
Daniel Narvaez 2013-05-01 22:31:27 +02:00 committed by Manuel Quiñones
parent ff5612caee
commit 671ad1ae3e

View File

@ -41,12 +41,16 @@ class HTMLActivity(activity.Activity):
self.set_canvas(self._web_view) self.set_canvas(self._web_view)
self._web_view.show() self._web_view.show()
self._authenticated = False
self._server = Server() self._server = Server()
self._server.connect("session-started", self._session_started_cb) self._server.connect("session-started", self._session_started_cb)
port = self._server.start() port = self._server.start()
index_path = os.path.join(activity.get_bundle_path(), "index.html") index_path = os.path.join(activity.get_bundle_path(), "index.html")
self._web_view.load_uri('file://' + index_path + "?port=%s" % port) self._key = os.urandom(16).encode("hex")
self._web_view.load_uri("file://%s?port=%s&key=%s" %
(index_path, port, self._key))
self._apis = {} self._apis = {}
self._apis["activity"] = ActivityAPI(self) self._apis["activity"] = ActivityAPI(self)
@ -56,6 +60,15 @@ class HTMLActivity(activity.Activity):
def _message_received_cb(self, session, message): def _message_received_cb(self, session, message):
request = json.loads(message.data) request = json.loads(message.data)
if request["method"] == "authenticate":
if self._key == request["params"][0]:
self._authenticated = True
return
if not self._authenticated:
return
api_name, method_name = request["method"].split(".") api_name, method_name = request["method"].split(".")
method = getattr(self._apis[api_name], method_name) method = getattr(self._apis[api_name], method_name)